[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys
From: |
Daniel Kiper |
Subject: |
[SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys |
Date: |
Tue, 2 Mar 2021 19:01:26 +0100 |
From: Daniel Axtens <dja@axtens.net>
NILFS2 has up to 7 keys, per the data structure. Do not permit array
indices in excess of that.
This catches some OOB reads. I don't know how controllable the invalidly
read data is or if that could be used later in the program.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/nilfs2.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
index 082326f38..20053caf5 100644
--- a/grub-core/fs/nilfs2.c
+++ b/grub-core/fs/nilfs2.c
@@ -569,6 +569,11 @@ grub_nilfs2_btree_lookup (struct grub_nilfs2_data *data,
static inline grub_uint64_t
grub_nilfs2_direct_lookup (struct grub_nilfs2_inode *inode, grub_uint64_t key)
{
+ if (1 + key > 6)
+ {
+ grub_error (GRUB_ERR_BAD_FS, "key is too large");
+ return 0xffffffffffffffff;
+ }
return grub_le_to_cpu64 (inode->i_bmap[1 + key]);
}
@@ -584,7 +589,7 @@ grub_nilfs2_bmap_lookup (struct grub_nilfs2_data *data,
{
grub_uint64_t ptr;
ptr = grub_nilfs2_direct_lookup (inode, key);
- if (need_translate)
+ if (ptr != ((grub_uint64_t) 0xffffffffffffffff) && need_translate)
ptr = grub_nilfs2_dat_translate (data, ptr);
return ptr;
}
--
2.11.0
- [SECURITY PATCH 070/117] term/gfxterm: Don't set up a font with glyphs that are too big, (continued)
- [SECURITY PATCH 070/117] term/gfxterm: Don't set up a font with glyphs that are too big, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 064/117] script/execute: Don't crash on a "for" loop with no items, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 069/117] video/readers/jpeg: Don't decode data before start of stream, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 068/117] video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du(), Daniel Kiper, 2021/03/02
- [SECURITY PATCH 072/117] fs/hfsplus: Don't fetch a key beyond the end of the node, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 071/117] fs/fshelp: Catch impermissibly large block sizes in read helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 082/117] io/gzio: Bail if gzio->tl/td is NULL, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 078/117] fs/jfs: Catch infinite recursion, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 073/117] fs/hfsplus: Don't use uninitialized data on corrupt filesystems, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 083/117] io/gzio: Add init_dynamic_block() clean up if unpacking codes fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 079/117] fs/nilfs2: Reject too-large keys,
Daniel Kiper <=
- [SECURITY PATCH 077/117] fs/jfs: Limit the extents that getblk() can consider, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 084/117] io/gzio: Catch missing values in huft_build() and bail, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 086/117] disk/lvm: Don't go beyond the end of the data we read from disk, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 087/117] disk/lvm: Don't blast past the end of the circular metadata buffer, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 089/117] disk/lvm: Do not crash if an expected string is not found, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 085/117] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 091/117] disk/lvm: Sanitize rlocn->offset to prevent wild read, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 096/117] kern/parser: Introduce process_char() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 097/117] kern/parser: Introduce terminate_arg() helper, Daniel Kiper, 2021/03/02
- [SECURITY PATCH 080/117] fs/nilfs2: Don't search children if provided number is too large, Daniel Kiper, 2021/03/02